b'                   AUDIT REPORT\n                Audit of NRC\xe2\x80\x99s Deployment of the National\n                         Source Tracking System\n\n                      OIG-10-A-16      August 30, 2010\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                              NRC\xe2\x80\x99s Web site at:\n             http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                UNITED STATES\n                        NUCLEAR REGULATORY COMMISSION\n                                 WASHINGTON, D.C. 20555-0001\n\n\n\n\nOFFICE OF THE\nINSPECTOR GENERAL\n\n\n                                          August 30, 2010\n\n\nMEMORANDUM TO:             R. William Borchardt\n                           Executive Director for Operations\n\n\n\nFROM:                      Stephen D. Dingbaum /RA/\n                           Assistant Inspector General for Audits\n\n\nSUBJECT:                   AUDIT OF NRC\xe2\x80\x99S DEPLOYMENT OF THE NATIONAL\n                           SOURCE TRACKING SYSTEM (OIG-10-A-16)\n\n\nAttached is the Office of the Inspector General\xe2\x80\x99s (OIG) audit report titled, NRC\xe2\x80\x99s\nDeployment of the National Source Tracking System.\n\nThis report presents the results of the subject audit. Agency comments provided during\na July 28, 2010, exit conference have been incorporated, as appropriate, into this\nreport.\n\nPlease provide information on actions taken or planned on each of the\nrecommendations within 30 days of the date of this memorandum. Actions taken or\nplanned are subject to OIG followup as stated in Management Directive 6.1.\n\nWe appreciate the cooperation extended to us by members of your staff during the\naudit. If you have any questions or comments about our report, please contact me at\n415-5915 or Beth Serepca, Team Leader, at 415-5912.\n\nAttachment: As stated\n\x0cElectronic Distribution\n\nEdwin M. Hackett, Executive Director, Advisory Committee\n  on Reactor Safeguards\nE. Roy Hawkens, Chief Administrative Judge, Atomic Safety\n  and Licensing Board Panel\nStephen G. Burns, General Counsel\nBrooke D. Poole, Director, Office of Commission Appellate Adjudication\nJames E. Dyer, Chief Financial Officer\nHubert T. Bell, Inspector General\nMargaret M. Doane, Director, Office of International Programs\nRebecca L. Schmidt, Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nR. William Borchardt, Executive Director for Operations\nMichael F. Weber, Deputy Executive Director for Materials, Waste,\n  Research, State, Tribal, and Compliance Programs, OEDO\nDarren B. Ash, Deputy Executive Director\n  for Corporate Management, OEDO\nMartin J. Virgilio, Deputy Executive Director for Reactor\n  and Preparedness Programs, OEDO\nNader L. Mamish, Assistant for Operations, OEDO\nKathryn O. Greene, Director, Office of Administration\nPatrick D. Howard, Director, Computer Security Office\nRoy P. Zimmerman, Director, Office of Enforcement\nCharles L. Miller, Director, Office of Federal and State Materials\n  and Environmental Management Programs\nCheryl L. McCrary, Director, Office of Investigations\nThomas M. Boyce, Director, Office of Information Services\nJames F. McDermott, Director, Office of Human Resources\nMichael R. Johnson, Director, Office of New Reactors\nCatherine Haney, Director, Office of Nuclear Material Safety\n  and Safeguards\nEric J. Leeds, Director, Office of Nuclear Reactor Regulation\nBrian W. Sheron, Director, Office of Nuclear Regulatory Research\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nJames T. Wiggins, Director, Office of Nuclear Security\n  and Incident Response\nMarc L. Dapas, Acting Regional Administrator, Region I\nLuis A. Reyes, Regional Administrator, Region II\nMark A. Satorius, Regional Administrator, Region III\nElmo E. Collins, Jr., Regional Administrator, Region IV\n\x0c                                        Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\nEXECUTIVE SUMMARY\n\n\n\n                  The National Source Tracking System (NSTS) is a centralized database\n                  developed and managed by the Nuclear Regulatory Commission (NRC) to\n                  help NRC and Agreement State regulatory agencies1 account for select\n                  categories of high-risk radiological sources held by approximately 1,300\n                  licensees.2 Specifically, NSTS is used to monitor transactions and\n                  inventories of nationally tracked sources as defined in Title 10 of the Code\n                  of Federal Regulations, Part 20, Section 1003 (10 CFR 20.1003).3 These\n                  nationally tracked sources include Category 1 and 2 radiological sealed\n                  sources4 that have industrial, medical, and research uses.5 The\n                  International Atomic Energy Agency (IAEA) characterizes Category 1 and\n                  2 sources as radiological materials that pose the greatest health risks if\n                  not safely managed or securely protected.6\n\n                  NRC developed NSTS in response to the U. S. Government\xe2\x80\x99s\n                  endorsement of the IAEA Code of Conduct on the Safety and Security of\n                  Radioactive Sources, which is the current standard used by the\n1\n   The Atomic Energy Act of 1954 allows NRC to delegate to State governments some authority to\nlicense and regulate radiological materials. States that have signed formal regulatory agreements\nwith NRC are known as \xe2\x80\x9cAgreement States.\xe2\x80\x9d\n2\n  Licensees are businesses and other organizations licensed by NRC and Agreement States to possess\nradiological sources.\n3\n   10 CFR 20.1003 defines a nationally tracked source as, \xe2\x80\x9ca sealed source containing a quantity equal to\nor greater than Category 1 or Category 2 levels of any radioactive material listed in Appendix E of this\npart. In this context a sealed source is defined as radioactive material that is sealed in a capsule or\nclosely bonded, in a solid form and which is not exempt from regulatory control. It does not mean\nmaterial encapsulated solely for disposal, or nuclear material contained in any fuel assembly,\nsubassembly, fuel rod, or fuel pellet. Category 1 nationally tracked sources are those containing\nradioactive material at a quantity equal to or greater than the Category 1 threshold. Category 2 nationally\ntracked sources are those containing radioactive material at a quantity equal to or greater than the\nCategory 2 threshold but less than the Category 1 threshold."\n4\n    A table of radiological sources subject to NSTS reporting appears in Appendix A.\n5\n  These sources do not include materials encapsulated solely for disposal, or nuclear materials contained\nin fuel assemblies, subassemblies, fuel rods, or fuel pellets.\n6\n  The IAEA\xe2\x80\x99s five-category scale provides a relative ranking of radiological sources in terms of each\nsource\xe2\x80\x99s potential to cause immediate harmful health effects if not safely managed or securely protected.\nCategory 1 sources are the most hazardous, and can cause permanent injury or death if mishandled;\nCategory 5 sources are the least hazardous, and could not cause permanent injury.\n\n\n                                                      i\n\x0c                                      Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n                international community to govern safety and security of radioactive\n                material based on the IAEA categorization system.7 In addition, the\n                Energy Policy Act of 2005 required NRC to issue regulations establishing\n                a mandatory tracking system for radiation sources in the United States.\n                NRC deployed NSTS in December 2008, thereby enabling licensees to\n                begin reporting radiological source inventories and transactions by\n                January 31, 2009, as required by Title 10 of the Code of Federal\n                Regulations, Part 20, Section 2207.\n\n                NSTS enables licensees to report via the Internet transactions of\n                nationally tracked sources, including the manufacture, import, export,\n                transfer, and receipt of these sources.8 Licensees can also report\n                transaction data by other means such as facsimile, e-mail, or standard\n                mail. Approximately 200 source transactions are processed daily in\n                NSTS.\n\n\n\n\n                The audit\xe2\x80\x99s objective was to determine if the National Source Tracking\n                System meets its required operational capabilities.\n\n\n\n\n                NSTS satisfies basic operational requirements, including functional\n                capabilities for capturing data and security features for protecting data.\n                However, Office of the Inspector General (OIG) auditors developed\n                findings regarding NSTS smart card utilization, data quality, and access\n                controls.\n\n                Licensees Have Not Fully Adopted NSTS Technology\n\n                NSTS was designed primarily to be an Internet-based system enabling\n                direct data entry by licensees. However, a majority of the licensee user\n\n\n\n7\n  A joint Department of Energy /NRC Interagency Working Group on Radiological Dispersal Devices also\nrecommended a national source tracking system following its work during 2002-2003.\n8\n  The Energy Policy Act of 2005 established requirements for identifying individual radiological sources\n(e.g., by serial number), and for reporting any change of possession or loss of control of these materials.\nIn addition, this legislation required a capability for reporting through a secure Internet connection.\n\n\n\n                                                     ii\n\x0c                  Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\npopulation has not fully adopted technology required for direct access to\nNSTS. This trend is caused by challenges inherent in the NSTS\ncredentialing process, as well as technical problems encountered by\nlicensees in using the smart card devices. Further, Help Desk contractor\npersonnel are not always capable of resolving application and set-up\nproblems encountered by NSTS users. As a result, NRC has incurred\nadministrative costs from updating NSTS on behalf of licensees who opt\nnot to enter their source transaction and inventory data into NSTS.\n\nNSTS Has Data Quality Problems with Timeliness and Accuracy\n\nInternal control standards for Federal Government agencies recommend\nthat data be processed in a timely manner to maintain its relevance and\noperational value to management. NSTS is designed with automated\nsecurity controls to ensure the integrity of data entered into the system;\nhowever, OIG auditors found problems with the timeliness of NSTS data\nregarding source transfers. These problems result primarily from the\nprocess by which data is reported and manually uploaded into NSTS.\nAlthough NSTS cannot provide \xe2\x80\x9creal time\xe2\x80\x9d tracking of licensees\xe2\x80\x99 source\ntransactions and inventories, NRC and Agreement State personnel must\nhave reliable information to perform their oversight duties.\n\nLeast Privilege Principle Not Consistently Applied to NSTS Access\nControls\n\nFederal Government internal controls standards for information systems\nrecommend security controls to protect systems and networks from\ninappropriate access and unauthorized use. Although NSTS access rights\nfor licensee personnel are scaled to individual users\xe2\x80\x99 job needs, some\nNRC staff have broader access rights that do not reflect individuals\xe2\x80\x99 job\nneeds or organizational roles. This occurs because NRC lacks a\nprocedure for scaling staff access rights to their respective job needs.\nAlthough OIG auditors did not find evidence of internal NSTS data\nbreaches, the lack of a procedure to ensure consistent application of the\nleast privilege principle increases the risk that NSTS data could be\nintentionally or accidentally compromised.\n\n\n\n\n                               iii\n\x0c                 Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n\n\nThis report makes four recommendations. A consolidated list of\nrecommendations appears in Section IV of this report.\n\n\n\n\nAt an exit conference held on July 28, 2010, agency management stated\ntheir general agreement with the findings and recommendations in this\nreport. Agency management also provided supplemental information that\nhas been incorporated into this report as appropriate. As a result, the\nagency opted not to provide formal comments for inclusion in this report.\n\n\n\n\n                              iv\n\x0c                 Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\nABBREVIATIONS AND ACRONYMS\n\n     CFR     Code of Federal Regulations\n\n     CSO     Computer Security Office\n\n     FSME    Office of Federal and State Materials and Environmental\n             Management Programs\n\n     FTE     Full Time Equivalent\n\n     IAEA    International Atomic Energy Agency\n\n     NIST    National Institute of Standards and Technology\n\n     NRC     Nuclear Regulatory Commission\n\n     NSTS    National Source Tracking System\n\n     OIG     Office of the Inspector General\n\n     OIS     Office of Information Services\n\n     OMB     Office of Management and Budget\n\n\n\n\n                              v\n\x0c                                 Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\nTABLE OF CONTENTS\n\n        EXECUTIVE SUMMARY ............................................................................ i\n\n        ABBREVIATIONS AND ACRONYMS ........................................................ v\n\n        I.    BACKGROUND .................................................................................. 1\n\n        II.   PURPOSE .......................................................................................... 5\n\n        III. FINDINGS ........................................................................................... 6\n\n                 A. Licensees Have Not Fully Adopted\n                    NSTS Technology...................................................................... 6\n\n                 B. NSTS Has Data Quality Problems with Timeliness\n                    and Accuracy ........................................................................... 10\n\n                 C. Least Privilege Principle Not Consistently Applied\n                    to NSTS Access Controls ........................................................ 13\n\n        IV. CONSOLIDATED LIST OF RECOMMENDATIONS ......................... 15\n\n        V. AGENCY COMMENTS ..................................................................... 15\n\n\n    APPENDICES\n\n        A. TABLE OF NATIONALLY TRACKED SOURCES\n           LISTED IN 10 CFR 20, APPENDIX E................................................. 16\n\n        B. NRC FORM 748 NSTS TRANSACTION REPORT ............................ 17\n\n        C. SURVEY DISTRIBUTED TO AGREEMENT STATE\n           PERSONNEL ..................................................................................... 18\n\n        D. SURVEY DISTRIBUTED TO LICENSEE PERSONNEL .................... 21\n\n        E. SCOPE AND METHODOLOGY ......................................................... 24\n\n\n\n                                                  vi\n\x0c                                        Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\nI.        BACKGROUND\n\n                  National Source Tracking System Overview\n\n                  The National Source Tracking System (NSTS) is a centralized database\n                  developed and managed by the Nuclear Regulatory Commission (NRC) to\n                  help NRC and Agreement State regulatory agencies9 account for select\n                  categories of high-risk radiological sources held by approximately 1,300\n                  licensees.10 Specifically, NSTS is used to monitor transactions and\n                  inventories of nationally tracked sources as defined in Title 10 of the Code\n                  of Federal Regulations, Part 20, Section 1003 (10 CFR 20.1003).11 These\n                  nationally tracked sources include Category 1 and 2 radiological sealed\n                  sources12 that have industrial, medical, and research uses.13 The\n                  International Atomic Energy Agency (IAEA) characterizes Category 1 and\n                  2 sources as radiological materials that pose the greatest health risks if\n                  not safely managed or securely protected.14\n\n                  NRC developed NSTS in response to the U. S. Government\xe2\x80\x99s\n                  endorsement of the IAEA Code of Conduct on the Safety and Security of\n                  Radioactive Sources, which is the current standard used by the\n9\n   The Atomic Energy Act of 1954 allows NRC to delegate to State governments some authority to\nlicense and regulate radiological materials. States that have signed formal regulatory agreements\nwith NRC are known as \xe2\x80\x9cAgreement States.\xe2\x80\x9d\n10\n  Licensees are businesses and other organizations licensed by NRC and Agreement States to possess\nradiological sources.\n11\n   10 CFR 20.1003 defines a nationally tracked source as, \xe2\x80\x9ca sealed source containing a quantity equal\nto or greater than Category 1 or Category 2 levels of any radioactive material listed in Appendix E of this\npart. In this context a sealed source is defined as radioactive material that is sealed in a capsule or\nclosely bonded, in a solid form and which is not exempt from regulatory control. It does not mean\nmaterial encapsulated solely for disposal, or nuclear material contained in any fuel assembly,\nsubassembly, fuel rod, or fuel pellet. Category 1 nationally tracked sources are those containing\nradioactive material at a quantity equal to or greater than the Category 1 threshold. Category 2 nationally\ntracked sources are those containing radioactive material at a quantity equal to or greater than the\nCategory 2 threshold but less than the Category 1 threshold."\n12\n     A table of radiological sources subject to NSTS reporting appears in Appendix A.\n13\n  These sources do not include materials encapsulated solely for disposal, or nuclear materials\ncontained in fuel assemblies, subassemblies, fuel rods, or fuel pellets.\n14\n  The IAEA\xe2\x80\x99s five-category scale provides a relative ranking of radiological sources in terms of each\nsource\xe2\x80\x99s potential to cause immediate harmful health effects if not safely managed or securely protected.\nCategory 1 sources are the most hazardous, and can cause permanent injury or death if mishandled;\nCategory 5 sources are the least hazardous, and could not cause permanent injury.\n\n\n                                                      1\n\x0c                                        Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n                   international community to govern safety and security of radioactive\n                   material based on the IAEA categorization system.15 In addition, the\n                   Energy Policy Act of 2005 required NRC to issue regulations establishing\n                   a mandatory tracking system for radiation sources in the United States.\n                   NRC deployed NSTS in December 2008, thereby enabling licensees to\n                   begin reporting radiological source inventories and transactions by\n                   January 31, 2009, as required by 10 CFR 20.2207.\n\n                   NSTS enables licensees to report via the Internet transactions of\n                   nationally tracked sources, including the manufacture, import, export,\n                   transfer, and receipt of these sources.16 Licensees can also report source\n                   transaction data by other means such as facsimile, e-mail, or standard\n                   mail. Approximately 200 source transactions are processed daily in\n                   NSTS.\n\n                   Program Offices\n\n                   The Office of Federal and State Materials and Environmental\n                   Management Programs (FSME) is responsible for NSTS operations.\n                   FSME staff conduct training for Agreement State and licensee personnel,\n                   and maintain an Internet page offering user guidance and program\n                   updates. FSME staff also monitor data in NSTS, and conduct an annual\n                   inventory review in which licensees compare their physical inventories\n                   with NSTS inventory data, and reconcile any discrepancies between the\n                   two.17 A contractor operates and maintains NSTS for FSME, and also\n                   processes data submitted by licensees for entry into NSTS.18 The FSME\n                   contractor also runs the NSTS Help Desk, whose personnel provide\n                   technical assistance to NSTS users. As of March 2010, total obligated\n\n\n\n\n15\n   A joint Department of Energy-NRC Interagency Working Group on Radiological Dispersal Devices also\nrecommended a national source tracking system following its work during 2002-2003.\n16\n   The Energy Policy Act of 2005 established requirements for identifying individual radiological sources\n(e.g., by serial number), and for reporting any change of possession or loss of control of these materials.\nIn addition, this legislation required a capability for reporting through a secure Internet connection.\n\n17\n  This \xe2\x80\x9cannual inventory reconciliation\xe2\x80\x9d is required by 10 CFR 20.2207. Licensees must validate their\ninventory data in NSTS by January 31 of each year.\n18\n     For clarity, this report refers to FSME\xe2\x80\x99s NSTS contractor as the \xe2\x80\x9cFSME contractor.\xe2\x80\x9d\n\n\n\n                                                       2\n\x0c                                          Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n                   funding for the NSTS contract was approximately $20 million, which\n                   included approximately $10.8 million for operations, maintenance, and\n                   user support.19 Graph 1 illustrates a breakout of operational support,\n                   maintenance, and user support contract costs current as of March 2010.\n\n                   NSTS Program Resources\n\n                   Graph 1: Obligated Contract Funds for NSTS Operational Support,\n                   Maintenance, and User Support\n\n\n                NSTS Contract Obligations for Operational Support,\n                        Maintenance, and User Support\n                                  (in $Millions)\n NSTS User\n  Support\n   $3.9M\n\n\n                                                                                           NSTS Operational\n                                                                                              Support\n                                                                                               $5.2M\n\n\n\n\n     NSTS\n     Maintenance\n     $1.7M\nSource: OIG Analysis\n\n\n                   The Office of Information Services (OIS) supports NSTS by managing a\n                   contract for credentialing NSTS users and providing users with equipment\n                   needed to access NSTS via the Internet.20 OIS provides credentialing\n                   services for other NRC programs under this agencywide contract;\n                   however, contract costs directly attributable to NSTS were approximately\n                   $3.2 million from October 2008 through March 2010. In addition to\n                   contract management, OIS staff assist NSTS users with technical\n                   problems that the NSTS Help Desk cannot resolve.\n\n\n19\n The remaining $9.2 million in contract obligations reflect NSTS development tasks.\n20\n     For clarity, this report refers to OIS\xe2\x80\x99s credentialing contractor as the \xe2\x80\x9cOIS contractor.\xe2\x80\x9d\n\n\n                                                          3\n\x0c                  Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\nThe Computer Security Office (CSO) is responsible for ensuring that\nNSTS complies with the Federal Information Security Management Act\n(FISMA), which outlines the information security management\nrequirements for Federal agencies. As part of this effort, CSO conducts\nannual testing of automated and procedural security controls listed in the\nNSTS system security plan to ensure these controls function as planned.\nIn addition to ensuring FISMA compliance, CSO staff lead incident\nresponse activities in the event of an information system breach.\n\nNRC staff based in all of the regional offices use NSTS data for\nconducting inspections of licensees. Some region-based staff also serve\non temporary assignments in support of NSTS program operations. In\ntotal, NRC committed 7.4 direct full-time equivalent personnel (FTE) to the\nNSTS program in Fiscal Year 2009, and 5.8 FTE through the second\nquarter of Fiscal Year 2010. Although several headquarters offices\nsupport NSTS, only FSME and OIS had direct labor charges to the\nprogram.\n\nNSTS User Credentialing\n\nTo access NSTS online, users must become credentialed through a multi-\nstep process. After NRC staff identify potential NSTS online users based\non their job requirements, the first step in credentialing requires an\napplicant to enroll online. The second step is to review and approve the\nonline application. In the third step, OIS contractor personnel mail an\nenrollment package to prospective NSTS users, who must complete forms\nin their enrollment packages, sign an identity declaration in the presence\nof a public notary, and return the completed enrollment packages to the\nOIS contractor. Finally, after receiving the completed enrollment\npackages, OIS contractor personnel verify the identity and employment\nstatus of each prospective NSTS user.\n\nFollowing successful completion of the application process, each NSTS\nuser receives a \xe2\x80\x9csmart card\xe2\x80\x9d and card reader. Smart cards help prevent\nunauthorized access to NSTS by authenticating users when they log into\nthe system via the Internet. Figure 1 depicts an NSTS smart card.\n\n\n\n\n                               4\n\x0c                                       Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n                 Figure 1: NSTS Smart Card Illustration\n\n\n\n\nSource: NRC\n\n\n                 Upon receiving this equipment, an NSTS user must download digital\n                 certificates21 onto the smart card, and install on his/her computer software\n                 that enables the smart card equipment to function. Once NSTS users set\n                 up this hardware and software on their computers, FSME staff activate\n                 users\xe2\x80\x99 accounts, thereby enabling them to read and enter data into NSTS.\n\n\n\nII.   PURPOSE\n\n                 The audit\xe2\x80\x99s objective was to determine if the National Source Tracking\n                 System meets its required operational capabilities. See Appendix E for\n                 more information on the audit scope and methodology.\n\n\n\n\n21\n   A digital certificate is an electronic identifier that establishes a user\xe2\x80\x99s credentials when processing\ntransactions on the Internet. NSTS is designed with multi-factor authentication to verify each user\xe2\x80\x99s\nidentity. System users must enter a user name and password in conjunction with their smart cards to\ngain access to NSTS.\n\n\n                                                      5\n\x0c                                    Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\nIII. FINDINGS\n\n               NSTS satisfies basic operational requirements, including functional\n               capabilities for capturing data and security features for protecting data.22\n               Further, an NSTS configuration control board comprised of NRC staff,\n               information technology contractors, Agreement State representatives, and\n               a representative from industry meets several times a year to evaluate\n               potential system upgrades on a cost-benefit basis. This internal control\n               mechanism enables NRC to gather feedback from system users on ways\n               to improve NSTS functionality, and provides NRC management with\n               information to guide resourcing decisions. During this audit, Office of the\n               Inspector General (OIG) auditors developed findings and associated\n               recommendations regarding NSTS smart card utilization, data quality, and\n               access controls. By addressing these issues, NRC can improve program\n               efficiency and strengthen oversight of licensees that possess and transfer\n               Category 1 and 2 radiological sealed sources.\n\n       A. Licensees Have Not Fully Adopted NSTS Technology\n\n               NSTS was designed primarily to be an Internet-based system enabling\n               direct data entry by licensees. However, a majority of the licensee user\n               population has not fully adopted technology required for direct access to\n               NSTS. This trend is caused by challenges inherent in the NSTS\n               credentialing process, as well as technical problems encountered by\n               licensees in using the smart card devices. Further, Help Desk contractor\n               personnel are not always capable of resolving application and set-up\n               problems encountered by NSTS users. As a result, NRC has incurred\n               administrative costs from updating NSTS on behalf of licensees who opt\n               not to enter their source transaction and inventory data into NSTS.\n\n               NSTS Is Designed Primarily for Internet-Based Use\n\n               Since the early stages of system development, NSTS was designed\n               primarily to be an Internet-based system enabling direct data entry by\n               licensees. The NSTS System Requirements and Needs Analyses\n               supporting system design explicitly state this assumption and note that\n\n22\n  CSO performed the first annual security controls testing of NSTS in March 2010 to determine\ncompliance with security requirements documented in the System Security Plan, and to verify that the\nsecurity controls identified in the plan are correctly implemented. CSO recommended enhancements for\n7 of the 128 controls tested.\n\n\n                                                  6\n\x0c                                       Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n                  licensees need a Web-based interface for \xe2\x80\x9cnear real-time\xe2\x80\x9d reporting.\n                  NRC\xe2\x80\x99s Office of Management and Budget (OMB) Exhibit 300 submission,\n                  which declares costs and benefits of NRC information technology\n                  investments to OMB, describes qualitative benefits expected to result from\n                  NSTS\xe2\x80\x99s Internet-based architecture, such as minimized data processing\n                  time and ready support for an expandable user base.\n\n                  Licensees Have Not Adopted Technology Needed for Internet Access\n                  to NSTS\n\n                  Despite these assumptions, the licensee user population has not fully\n                  adopted technology required for direct Internet access to NSTS. For\n                  example, an NRC staff analysis estimated that only one-third of licensee\n                  personnel who must report source data to NSTS had online system\n                  access by November 2009. The analysis predicted that the population of\n                  licensees with direct access to NSTS would not increase substantially.\n                  This analysis is reinforced by May 2010 data showing that about 41\n                  percent of licensees23 had one or more credentialed users at this point in\n                  time.24 Further, OIG auditors\xe2\x80\x99 survey of licensee personnel who are listed\n                  as active NSTS users (i.e., users with active NSTS accounts) found that\n                  approximately 31 percent of the respondents typically report transaction\n                  data to NRC by facsimile.25\n\n                  Credentialing and Technical Issues Present Challenges to\n                  Online Use\n\n                  Licensees\xe2\x80\x99 low participation in using NSTS Internet-based technology is\n                  caused by challenges inherent in the NSTS credentialing process, as well\n                  as technical problems encountered by licensees in their deployment and\n                  use of smart card devices. Credentialing process challenges include\n                  rigorous standards for completing NSTS application documents, which do\n                  not allow for even minor discrepancies between an applicant\xe2\x80\x99s personal\n                  information as stated on these documents and corresponding information\n                  in NRC\xe2\x80\x99s records.26 Such discrepancies result in rejection of credentialing\n\n23\n     537 of 1,321 licensees.\n24\n     An additional 17 users were undergoing the credentialing process.\n25\n     See Appendix D for information on survey methodology.\n26\n  After OIG auditors completed fieldwork for this report, agency staff presented plans to streamline\nemployment verification and identity proofing procedures. NRC staff expect the revised procedures to\n\n\n                                                      7\n\x0c                                    Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n               applications, thereby obligating the applicant to restart the credentialing\n               process. Further obstacles include the efforts associated with completing\n               applications and submitting notarized identity declarations. Process lag\n               time presents yet another credentialing obstacle; although NRC aims for a\n               30-day turnaround time, nearly one half of licensees surveyed by OIG\n               auditors reported a 2- to 6-month wait to complete NSTS applications and\n               gain access to the system.\n\n               Technical challenges present further obstacles to online use of NSTS.\n               First, NSTS users must install card readers, download digital certificates,\n               and download card reader software within 30 days of completing the\n               credentialing process; failure to do so results in account deactivation.\n               Second, users must configure their computers to be compatible with\n               NSTS, which may require technical support for users who are less skilled\n               or have less familiarity with information technology. In some cases, users\xe2\x80\x99\n               network security settings prevent their computers from connecting to\n               NSTS. Third, some operating systems and Internet browsers are not\n               compatible with NSTS.27 Lastly, NSTS users have encountered technical\n               problems that NSTS Help Desk personnel could not immediately resolve.\n\n               Licensees Shift Administrative Burden of Data Reporting to NRC\n\n               As a result of low direct use of NSTS by licensee personnel, NRC has\n               incurred costs associated with the administrative burden of processing\n               NSTS data on behalf of licensees. These costs are most clearly reflected\n               in NSTS Help Desk and user support contract ceilings, which increased 54\n               percent during the first year of operation from $2.52 million to $3.87\n               million. According to NRC staff, these cost increases are largely\n               attributable to unanticipated need for Help Desk support and data entry\n               work performed on behalf of licensees who do not report their data directly\n               to NSTS via the Internet. Moreover, these contract costs do not account\n               for the resource impact on NRC staff who support licensee personnel with\n               technical troubleshooting and correction of erroneous data.\n\n\nreduce the number of licensees whose NSTS applications are rejected because of minor discrepancies\nbetween employment information in NRC licensing documents and State government records.\n27\n  These include the Microsoft Vista and Windows 2000 operating systems, Apple operating systems, and\nApple and Firefox browsers.\n\n\n\n\n                                                 8\n\x0c                  Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\nRecommendations\n\nOIG recommends that the Executive Director for Operations:\n\n1. Assess the feasibility of alternative credentialing strategies, such as:\n\n    a. Targeting select types of licensees for smart card use based on\n       risk, business case justification, or other criteria.\n\n    b. Reviewing NSTS e-authentication risk assessment for currency\n       and, if appropriate, identify technological alternatives to smart card\n       authentication.\n\n2. Develop and implement a policy to ensure Help Desk staff are kept\n   current regarding credentialing and technical issues that may\n   adversely impact NSTS applicants and users.\n\n\n\n\n                               9\n\x0c                                     Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n          B. NSTS Has Data Quality Problems with Timeliness and Accuracy\n\n                   Internal control standards for Federal Government agencies recommend\n                   that data be processed in a timely manner to maintain its relevance and\n                   operational value to management. NSTS is designed with automated\n                   security controls to ensure the integrity of data entered into the system;\n                   however, OIG auditors found problems with the timeliness of NSTS data\n                   regarding transfers of nationally tracked sources. These problems result\n                   primarily from the process by which data is reported and manually\n                   uploaded into NSTS. Although NSTS cannot provide \xe2\x80\x9creal time\xe2\x80\x9d tracking\n                   of licensees\xe2\x80\x99 transactions and inventories, NRC and Agreement State\n                   personnel must have reliable information to perform their oversight duties.\n\n                   Government Agencies Should Ensure Timeliness and Accuracy of\n                   Data Processed by Agency Systems\n\n                   General internal control standards for Federal Government agencies\n                   recommend that data be processed in a timely manner to maintain its\n                   relevance and operational value to management. Likewise, internal\n                   control standards for Government information systems recommend\n                   automated and administrative controls to ensure the accuracy and validity\n                   of data processed by agencies\xe2\x80\x99 systems.\n\n                   High Percentages of Source Transfer Records Are Incomplete\n\n                   NSTS is designed with automated security controls to ensure the integrity\n                   of data entered into the system; however, OIG auditors found problems\n                   with the timeliness and accuracy of NSTS data. For example, one report\n                   from December 2009 showed that about 19 percent28 of nationally tracked\n                   source transfers were at least 6-months \xe2\x80\x9coverdue\xe2\x80\x9d \xe2\x80\x93 that is, licensees had\n                   reported outbound shipments, but the shipments lacked receipt records in\n                   NSTS indicating that these shipments had reached their intended\n                   destinations. Similarly, another report generated in April 2010 showed\n                   that approximately 19 percent29 of shipments were at least 30-days\n                   \xe2\x80\x9coverdue.\xe2\x80\x9d Shipments that appear \xe2\x80\x9coverdue\xe2\x80\x9d in NSTS are not necessarily\n                   lost or misdirected. According to FSME staff, there were no reports of lost\n                   or missing nationally tracked sources during the time of this audit. Rather,\n28\n     106 of 560 transactions.\n29\n     242 of 1,276 transactions.\n\n\n\n                                                 10\n\x0c                                      Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n                   some cases reflect backlogged reports. In other instances, anomalies may\n                   reflect data entry errors such as reports of shipments that never occurred,\n                   licensees reporting of sub-Category 2 radiological sources,30 and\n                   duplication of shipment records.31\n\n                   NSTS Data Quality Problems Result From Reliance on Manual\n                   Processes for Reporting Data\n\n                   Problems with the accuracy and timeliness of transaction data in NSTS\n                   result from the process by which data is reported and manually uploaded\n                   into NSTS. Although NSTS is designed to enable direct data entry by\n                   credentialed licensee personnel, most transactions are processed by\n                   NRC\xe2\x80\x99s contractor on behalf of licensees. For example, a December 2009\n                   report showed that the FSME contractor processed approximately 70\n                   percent32 of transactions during that month. Likewise, a report for one\n                   week in April 2010 showed that about 48 percent of outgoing source\n                   shipments were entered online by licensees,33 and approximately 28\n                   percent of shipment receipts were entered online by licensees.34\n\n                   Licensees who do not enter their own transaction and inventory data into\n                   NSTS typically send this information by facsimile35 to the FSME contractor\n                   site, where multiple contractor personnel are involved in processing the\n                   data. FSME contractor personnel log receipt of each facsimile, and must\n                   work directly with licensees to resolve problems such as incomplete or\n                   illegible information. FSME contractor personnel have tried various\n                   approaches for managing document flow but acknowledged some\n\n30\n  NRC regulations do not require licensees to report shipments and inventories of sub-Category 2\nsources to NSTS; however, some licensees report this information.\n31\n  Duplicate records can appear in NSTS when a licensee reports receipt of a nationally tracked source\nshipment before the sender\xe2\x80\x99s shipment information has been uploaded to NSTS. In such cases, the\nrecipient must create a placeholder shipment record in NSTS to correspond with the receipt record.\nWhen the sender\xe2\x80\x99s shipment information is later uploaded to NSTS, this creates a duplicate \xe2\x80\x9csent\xe2\x80\x9d\nshipment record.\n32\n     2,025 of 2,910 transactions.\n33\n     262 of 547 outgoing shipments.\n34\n     36 of 127 receipts.\n35\n  To report NSTS data by facsimile or mail, licensees must submit a completed NRC Form 748\ndescribing source types, serial numbers, transaction dates, and other relevant information. See Appendix\nB for a sample NRC Form 748.\n\n\n\n                                                  11\n\x0c                                       Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n                 difficulties, particularly during high-volume work periods. An NRC internal\n                 analysis completed in January 2010 also found problems with the FSME\n                 contractor\xe2\x80\x99s document controls, citing reports by licensees of NSTS data\n                 that remained incorrect despite licensees\xe2\x80\x99 repeated efforts to submit\n                 correct information to the FSME contractor. In addition, licensees do not\n                 receive notification when the FSME contractor receives their Form 748s;\n                 as a result, licensees may be unaware of failed or incomplete facsimile\n                 transmissions.36\n\n                 Lack of Timely, Accurate Data Could Compromise Oversight and\n                 Emergency Response\n\n                 Federal and State Government officials need reliable information to\n                 perform their oversight duties and respond to emergencies. Untimely and\n                 inaccurate data in NSTS can weaken oversight of licensees because NRC\n                 and Agreement State regulators use NSTS data for inspections as well as\n                 the annual review of licensee inventories. In the event of a serious\n                 emergency, untimely and inaccurate data could compromise authorities\xe2\x80\x99\n                 response planning and hinder effective deployment of emergency\n                 response assets to protect public health and safety. Further, the\n                 legislative mandate for NSTS reflects Congress\xe2\x80\x99s concern that\n                 Government officials maintain visibility over radiological materials that\n                 could present safety hazards and security risks if lost or stolen.\n\n                 Recommendation\n\n                 OIG recommends that the Executive Director for Operations:\n\n                 3. Develop and implement document control policies and processes to\n                    improve accountability for NSTS data submitted by licensees to NRC\n                    for uploading to NSTS.\n\n\n\n\n36\n  FSME contractor personnel cited cases in which they received blank or illegible Form 748s via\nfacsimile, but lacked contact information to notify licensees of the need to re-transmit the forms. After this\naudit was completed, FSME staff told OIG auditors that NRC is working with the FSME contractors to\nimplement an e-mail system to acknowledge receipt of 748s submitted via facsimile. Staff expect this\nsystem to be implemented by late summer 2010.\n\n\n                                                      12\n\x0c                                     Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n        C. Least Privilege Principle Not Consistently Applied to NSTS Access\n           Controls\n\n                Federal Government internal controls standards for information systems\n                recommend security controls to protect systems and networks from\n                inappropriate access and unauthorized use. Although NSTS access rights\n                for licensee personnel are scaled to individual users\xe2\x80\x99 job needs, some\n                NRC staff have broader access rights that do not reflect individuals\xe2\x80\x99 job\n                needs or organizational roles. This occurs because NRC lacks a\n                procedure for scaling staff access rights to their respective job needs.\n                Although OIG auditors did not find evidence of internal NSTS data\n                breaches, the lack of a procedure to ensure consistent application of the\n                least privilege principle increases the risk that NSTS data could be\n                intentionally or accidentally compromised.\n\n                Access Rights Should Reflect Individual and Organizational\n                Business Needs\n\n                Federal Government internal controls standards for information systems\n                recommend access security controls to protect systems and networks\n                from inappropriate access and unauthorized use. Specifically, National\n                Institute of Standards and Technology guidance37 recommends the \xe2\x80\x9cleast\n                privilege\xe2\x80\x9d principle, according to which access privileges are scaled to\n                information system users\xe2\x80\x99 individual and organizational needs.\n\n                Some Staff Access Rights Not Scaled to Business Needs\n\n                Although NSTS access rights for licensee personnel are scaled to\n                individual users\xe2\x80\x99 job needs, some NRC staff have broader access rights\n                that do not reflect their job needs or organizational roles. One\n                headquarters employee reported having edit capabilities that were not\n                necessary for routine work, and said that office management had\n                instructed staff not to edit NSTS data. In addition, OIG auditors found that\n                one employee had edit rights while on a temporary assignment, but\n                retained edit rights 2 months after this assignment ended.38\n\n37\n  National Institute of Standards and Technology, Special Publication 800-53, Recommended Security\nControls for Federal Information Systems and Organizations, Revision 3; August 2009.\n38\n  This staff member reportedly notified a branch chief and the NSTS Help Desk of the situation, but no\nchange in edit rights resulted.\n\n\n\n                                                   13\n\x0c                                     Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n                NRC Lacks Procedure for Scaling Staff Access Rights to Business\n                Needs\n\n                Some NRC staff possess unneeded NSTS edit rights because NRC lacks\n                a procedure for ensuring individual staff access rights are scaled to their\n                respective job needs. FSME staff told OIG auditors that NRC\n                management has raised concerns and requested a \xe2\x80\x9cread only\xe2\x80\x9d option for\n                staff who need to view, but not edit, NSTS data. However, during the time\n                of this audit, NRC had not implemented this \xe2\x80\x9cread only\xe2\x80\x9d option on an as-\n                needed basis.39\n\n                Increased Risk of Data Breach\n\n                Granting NSTS users access rights that exceed individual or\n                organizational business needs increases the risk that NSTS data could be\n                intentionally or accidentally compromised. Although NSTS automatically\n                logs edits, NRC staff and contractors who administer the system must\n                monitor it for suspicious activity. Applying the principle of least privilege to\n                NRC staff who use NSTS would provide an automated control to prevent\n                accidental data loss or corruption, and reduce the manual monitoring\n                burden for NRC staff who administer NSTS.\n\n                Recommendation\n\n                OIG recommends that the Executive Director for Operations:\n\n                4. Implement \xe2\x80\x9cread only\xe2\x80\x9d capability in NSTS for NRC staff who must use\n                   NSTS, but do not need edit rights to conduct duties in accordance with\n                   individual or organizational business needs.\n\n\n\n\n39\n  NRC staff have performed a review of staff access rights to the NSTS, established access controls, and\nare formalizing a procedure for the continual monitoring of user accounts.\n\n\n                                                  14\n\x0c                          Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\nIV. CONSOLIDATED LIST OF RECOMMENDATIONS\n\n        OIG recommends that the Executive Director for Operations:\n\n        1. Assess the feasibility of alternative credentialing strategies, such as:\n\n            a. Targeting select types of licensees for smart card use based on\n               risk, business case justification, or other criteria.\n\n            b. Reviewing NSTS e-authentication risk assessment for currency\n               and, if appropriate, identify technological alternatives to smart card\n               authentication.\n\n        2. Develop and implement a policy to ensure Help Desk staff are kept\n           current regarding credentialing and technical issues that may\n           adversely impact NSTS applicants and users.\n\n        3. Develop and implement document control policies and processes to\n           improve accountability for NSTS data submitted by licensees to NRC\n           for uploading to NSTS.\n\n        4. Implement \xe2\x80\x9cread only\xe2\x80\x9d capability in NSTS for NRC staff who must use\n           NSTS, but do not need edit rights to conduct duties in accordance with\n           individual or organizational business needs.\n\n\n\nV. AGENCY COMMENTS\n\n        At an exit conference held on July 28, 2010, agency management stated\n        their general agreement with the findings and recommendations in this\n        report. Agency management also provided supplemental information that\n        has been incorporated into this report as appropriate. As a result, the\n        agency opted not to provide formal comments for inclusion in this report.\n\n\n\n\n                                      15\n\x0c                                     Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n                                                                                          Appendix A\nTABLE OF NATIONALLY TRACKED SOURCES LISTED IN\n10 CFR 20, APPENDIX E\n\n                  The Terabecquerel (TBq) values are the regulatory standard. The\n                  curie (Ci) values specified are obtained by converting from the TBq\n                  value. The curie values are provided for practical usefulness only and\n                  are rounded after conversion.\n\n\n\nRadioactive material     Category 1 (TBq)   Category 1 (Ci)   Category 2 (TBq)   Category 2 (Ci)\nActinium-227             20                 540               0.2                5.4\nAmericium-241            60                 1,600             0.6                16\nAmericium-241/Be         60                 1,600             0.6                16\nCalifornium-252          20                 540               0.2                5.4\nCobalt-60                30                 810               0.3                8.1\nCurium-244               50                 1,400             0.5                14\nCesium-137               100                2,700             1                  27\nGadolinium-153           1,000              27,000            10                 270\nIridium-192              80                 2,200             0.8                22\nPlutonium-238            60                 1,600             0.6                16\nPlutonium-239/Be         60                 1,600             0.6                16\nPolonium-210             60                 1,600             0.6                16\nPromethium-147           40,000             1,100,000         400                11,000\nRadium-226               40                 1,100             0.4                11\nSelenium-75              200                5,400             2                  54\nStrontium-90             1,000              27,000            10                 270\nThorium-228              20                 540               0.2                5.4\nThorium-229              20                 540               0.2                5.4\nThulium-170              20,000             540,000           200                5,400\n\nYtterbium-169            300                8,100             3                  81\n\n\n\n\n                                                    16\n\x0c                   Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n                                                                   Appendix B\nNRC FORM 748 NSTS TRANSACTION REPORT\n\n\n\n\n                               17\n\x0c                         Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n                                                                             Appendix C\n\n\nSURVEY DISTRIBUTED TO AGREEMENT STATE PERSONNEL\n\n        OIG auditors sent a survey questionnaire by e-mail to 42 Agreement State\n        personnel to gather feedback regarding deployment and use of NSTS,\n        and received 38 responses. This was a non-statistical survey;\n        consequently, results cannot be projected to the entire population of\n        Agreement State personnel who use NSTS. However, the survey\xe2\x80\x99s high\n        response rate gives auditors confidence that survey results provide\n        relevant information about Agreement State user experiences. A copy of\n        the survey questionnaire follows.\n\n\n\n\n                                     18\n\x0cAudit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n\n\n            19\n\x0cAudit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n\n\n            20\n\x0c                          Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n                                                                              Appendix D\nSURVEY DISTRIBUTED TO LICENSEE PERSONNEL\n\n        OIG auditors sent a survey questionnaire by e-mail to 68 licensee\n        personnel to gather feedback regarding deployment and use of NSTS.\n        Auditors selected these personnel from NRC records of active NSTS\n        accounts and transaction data. Auditors received 27 responses. This was\n        a non-statistical survey; consequently, results cannot be projected to the\n        entire population of licensee personnel who use NSTS. However, auditors\n        stratified this survey to obtain information from licensees characterized as\n        high, medium, and low-volume users based on their respective rates of\n        transactions performed in NSTS. The survey\xe2\x80\x99s response rate, which\n        includes responses from all three groups of high, medium, and low-volume\n        users, gives auditors confidence that survey results provide relevant\n        information about user experiences from a diverse group of licensee\n        organizations. A copy of the survey questionnaire follows.\n\n\n\n\n                                      21\n\x0cAudit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n\n\n            22\n\x0cAudit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n\n\n            23\n\x0c                         Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\n                                                                             Appendix E\nSCOPE AND METHODOLOGY\n\n       The objective of this audit was to determine if the National Source\n       Tracking System meets its required operational capabilities.\n\n       Auditors reviewed Federal Government laws and regulations, NRC\n       guidance, security controls, and internal controls associated with the\n       National Source Tracking System to include:\n\n          2005 Energy Policy Act.\n          The Code of Federal Regulations.\n          National Institute of Standards and Technology Special Publications.\n          Federal Bridge Certification Authority Certificate Policy.\n          Government Accountability Office Standards for Internal Control in the\n          Federal Government.\n\n       Auditors interviewed staff from FSME, OIS, CSO and contractors who\n       have worked with NSTS. Auditors reviewed contract documents, NSTS\n       reports, e-mail correspondence, NSTS information system design\n       documents, and briefing materials. Auditors provided a survey to\n       Agreement State and licensee personnel, and analyzed the survey results.\n       Appendixes C and D contain copies of the survey forms distributed to\n       Agreement State and licensee personnel.\n\n       Auditors further analyzed NSTS and credentialing services contract\n       documents to calculate contract costs directly related to the system\xe2\x80\x99s use.\n       Auditors also obtained staff hour data for fiscal year 2009 through the first\n       quarter of fiscal year 2010 to calculate staff hours charged for NSTS\n       operations.\n\n       This performance audit was conducted at NRC headquarters from\n       January 2010 through May 2010 in accordance with generally accepted\n       Government auditing standards. Those standards require that the audit is\n       planned and performed with the objective of obtaining sufficient,\n       appropriate evidence to provide a reasonable basis for any findings and\n       conclusions based on the stated audit objective. OIG believes that the\n       evidence obtained provides a reasonable basis for the report findings and\n       conclusions based on the audit objective. Internal controls related to the\n\n\n                                     24\n\x0c                 Audit of NRC\xe2\x80\x99s Deployment of the National Source Tracking System\n\n\naudit objective were reviewed and analyzed. Throughout the audit,\nauditors were aware of the possibility or existence of fraud, waste, or\nmisuse in the program. The audit work was conducted by Beth Serepca,\nTeam Leader; Paul Rades, Audit Manager; Robert Woodward, Audit\nManager; and Mitzi Lorette, Senior Auditor.\n\n\n\n\n                             25\n\x0c'